1

I'm developing a microservice with Spring Boot and Feign for external service access. I have to access an external service in a test/development environment. This environment has another instance that is hosted at a different location. The problem is that this test URL doesn't have a valid SSL certificate, and the Feign configuration seems to fail.

I tried adding this to the application.yml file:

feign:
  httpclient:
    disable-ssl-validation: true

but I still get the same Exception:

feign.RetryableException: No subject alternative names matching IP address someIp found executing POST https://someIp:someport/somePath

And after further investigation, I've found that it was caused by a java.security.cert.CertificateException.

Shouldn't this application.yml configuration disable the SSL certificate validation and, therefore, avoid this exception?

  • 1
    Question is not clear. Can you please elaborate and ask a specific question? – CodeRider Dec 04 '19 at 13:02
  • https://stackoverflow.com/questions/19540289/how-to-fix-the-java-security-cert-certificateexception-no-subject-alternative – user6250770 Dec 04 '19 at 13:05
  • Are you using Eureka and Ribbon or any other service registry or load balancer? – CodeRider Dec 04 '19 at 14:12
  • @LeonardoMeinerzRamos An application which is secured with SSL (or TLS for that matter) cannot be accessed via HTTP. So if you disable SSL validation then you cannot call HTTPS (as in the error message you shared). But you can call, i.e., HTTP to HTTP. For that, the target server should disable SSL. Hope I am clear. – CodeRider Dec 04 '19 at 14:19
  • @CodeRider I'm not using any service registry or load balancer yet. – Leonardo Meinerz Ramos Dec 04 '19 at 17:33
  • @CodeRider If I understood your last comment, your suggestion is to disable SSL on the target server and use HTTP instead. Is this correct? If it is, I'm afraid that is not possible. The production environment's SSL certificate IS VALID, the problem is the test environment that only has a copy of the production certificate, which is invalid. – Leonardo Meinerz Ramos Dec 04 '19 at 17:38
  • Ok, I've added a Feign Configuration class to the client to disable SSL by code and it worked out, but I still would like to know why this YML configuration does not work – Leonardo Meinerz Ramos Dec 04 '19 at 18:45
  • @LeonardoMeinerzRamos I hope I have answered it in your way. Please mark my solution as the answer if you understood the scenario here. – CodeRider Dec 05 '19 at 07:39
  • @LeonardoMeinerzRamos, can you share the code of your Feign Configuration class? I am facing this same problem. – Flavio Oliva Mar 24 '21 at 12:45

1 Answer

-1

As discussed in the comments, we should not call secured (HTTPS) services in an unsecured way (HTTP). Not only does it violate the same origin policy, but since the service you are calling from is insecure it has the potential to be interfered with and leak all the data you are trying to keep secure. Use HTTPS for the entire process.

Get the certificates installed in calling and target machines. This would cover your entire testing cycle.

CodeRider
  • 2
    This is correct, but it does not answer the question: "Shouldn't this application.yml configuration disable the SSL certificate validation and, therefore, avoid this exception?" – Leonardo Meinerz Ramos Dec 05 '19 at 18:17
  • You can call the target server if it is also running on HTTP. You need to disable SSL in your target server and restart it. Then your code should work. Because your non-SSL request is looking for an SSL request, you got that error. – CodeRider Dec 06 '19 at 16:37
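
The exception in the question is a host name mismatch: the test server presents a copy of the production certificate while being called by IP address. As an added example (not the asker's configuration class, which the page does not show), a Feign configuration can keep certificate chain validation and relax only the name check for that one test address. The class name, `TEST_HOST` and `CERT_DNS_NAME` are hypothetical placeholders.

```java
import feign.Client;
import org.springframework.context.annotation.Bean;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

// Added example. Reference it with @FeignClient(configuration = TestEnvFeignConfig.class)
// on the client that talks to the test environment only.
public class TestEnvFeignConfig {

    // Placeholders: the test address being called, and the literal dNSName SAN
    // entry of the copied production certificate.
    static final String TEST_HOST = "192.0.2.10";
    static final String CERT_DNS_NAME = "api.example.com";

    @Bean
    public Client feignClient() {
        // null socket factory: the JVM's default trust store is kept, so the
        // certificate chain is still validated. Only the name check changes.
        return new Client.Default(null, pinnedNameVerifier());
    }

    static HostnameVerifier pinnedNameVerifier() {
        // HttpsURLConnection calls this only when its built-in name check fails.
        return (host, session) -> {
            if (!TEST_HOST.equals(host)) {
                return false; // a mismatch for any other host stays an error
            }
            try {
                X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
                Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
                if (sans == null) {
                    return false;
                }
                // Each SAN entry is [type, value]; type 2 is dNSName.
                return sans.stream().anyMatch(san ->
                        Integer.valueOf(2).equals(san.get(0))
                                && CERT_DNS_NAME.equalsIgnoreCase(String.valueOf(san.get(1))));
            } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
                return false; // no usable peer certificate: reject
            }
        };
    }
}
```

Because the verifier accepts a mismatch only for `TEST_HOST` and only when the certificate carries the expected name, a connection to any other host, or one presenting a different certificate, still fails.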